Potential Problems - ISP building 'root mirrors'
brettcarr at ripe.net
Mon Jun 27 20:29:14 UTC 2005
On Mon, 27 Jun 2005, Steve Mueller wrote:
> I've been tasked with looking into the root mirrors my predecessor put
> place. I think this is a really bad idea, but some pointy haired person
> wrote up an executive report that said the root servers are a DoS attack
> away from bringing our network to a halt.
> Like I said, I don't really agree with this whole idea, but I'm going to
> stay as openminded about it as possible until I see some data/facts.
> Anyone got some references on this? Links, Presentations, general
> awareness regarding this topic.
> I've seen (and saved) discussions on this I found in posts of Usenet
> past. Good info there.
> If we're going to keep doing this, I want to insure it is done right.
> If we shouldn't be doing this at all, I need to backup my thoughts with
> some cold hard facts.
Well in the days when there were only 13 (or less) root servers and most
of them were in the US then maybe a sustained dos attack was a real
threat, however these days K alone has more than 14 instances distributed
all over the world, and most of the other operators are using anycast to
distribute the load and the redundancy to many locations, I think the risk
is much much less than it used to be. Its difficult however to counter the
atcual arguements for mirroring root servers unless we can see what they
are. One thing to bear in mind though is that if the root servers did
disapear for a sustained period then you may be able to still resolve
other people but they wouldn't be able to resolve you back :)
Brett Carr Ripe Network Coordination Centre
System Engineer -- Operations Group Singel 258 Amsterdam NL
GPG Key fingerprint = F20D B2A7 C91D E370 44CF F244 B6A1 EF48 E743 F7D8
More information about the bind-users